This script generates a payload for use with Responder.
- Generate a payload with
main.py - Copy and paste the one-liner output into the
WPADScriptfield ofResponder.conf.
test@test:~$ python3 main.py --help
usage: main.py [-h] [-o OUT] cmd
Jackson T. jthuraisamy
jthuraisamy
/ gist:7c694490fa2718134fe766740d1668b3
Created
October 10, 2016 00:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am jthuraisamy on github. | |
| * I am jthuraisamy (https://keybase.io/jthuraisamy) on keybase. | |
| * I have a public key whose fingerprint is 3CC0 1B4C 2920 F44E 8973 2DFD 764F 2E48 2337 A611 | |
| To claim this, I am signing this object: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| # References: | |
| # 1. https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/ | |
| # 2. https://room362.com/post/2016/smb-http-auth-capture-via-scf/ | |
| from argparse import ArgumentParser | |
| from configparser import RawConfigParser |
jthuraisamy
/ README.md
Last active
September 25, 2019 10:18
CVE-2017-11907 WPAD.dat Generator for Responder
jthuraisamy
/ syscall.asm
Last active
November 23, 2019 18:33
System Call Detection at Runtime (NtCreateFile example)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtCreateFile PROC | |
| mov rax, gs:[60h] | |
| NtCreateFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 |
jthuraisamy
/ syscalls.asm
Last active
November 24, 2019 22:18
AV/EDR Evasion with Direct System Calls (x64)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtAcceptConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAcceptConnectPort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAcceptConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 |
jthuraisamy
/ _Instructions_Reproduce.md
Created
April 30, 2020 06:28
GhostLoader - AppDomainManager - Injection - 攻壳机动队
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
jthuraisamy
/ funcnames_from_logger.py
Last active
July 13, 2020 01:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Recover function names from logger function calls. | |
| #@author @Jackson_T | |
| #@category _NEW_ | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| import re | |
| from ghidra.program.model.symbol import SourceType |
jthuraisamy
/ dll-proxying.py
Created
December 18, 2019 15:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os.path | |
| import pefile | |
| print('#pragma once') | |
| target_dll = r'target.dll' | |
| pe = pefile.PE(target_dll) | |
| for export in pe.DIRECTORY_ENTRY_EXPORT.symbols: | |
| if export.name: | |
| name = export.name.decode() |
| IDA Plugins | Preferred | Neutral | Unreviewed |
|---|
jthuraisamy
/ README.md
Last active
April 16, 2023 06:06
PyExZ3 Example with HackSysExtremeVulnerableDriver
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.
The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
OlderNewer